Secure Coding mailing list archives

Building Security In vs Auditing


From: ljknews at mac.com (ljknews)
Date: Tue, 2 Jan 2007 13:17:16 -0500

At 9:46 AM -0500 1/2/07, McGovern, James F (HTSC, IT) wrote:

> I read a recent press release in which a security vendor (names removed
> to both protect the innocent along with the fact that it doesn't matter
> for this discussion) partnered with a prominent outsourcing firm. The
> press release was carefully worded but if you read into what wasn't said,
> it was in my opinion encouraging something that folks here tend to fight
> against. The outsourcing firm would use this tool in an auditing capacity
> for whatever client asked for another service but it would not become
> part of the general software development lifecycle for all projects.
>
> - It didn't mention any notion of all developers within the outsourcing
> firm having tools on their desktop to audit as they develop

From the information supplied, it is not clear that the tool is something
appropriate for the development environment.  I develop a tool that could
be used in a (certain) development environment, but that would only tell
how the development environment was secured, having no effect on the degree
to which the outsourced code was secure.

> - It didn't mention any notion of training all developers within the
> outsourcing firm on secure coding practices

From the information supplied, it is not clear that the security vendor
is one that would be involved in training anyone.  Limitations on a
joint press release (one that names another company) are subject to
severe negotiations.  Even if the security firm _was_ going to do what
you suggest, I can see a PR flack at the outsourcing firm resisting any
public suggestion that any of their staff needed further training on any
aspect of data processing.
-- 
Larry Kilgallen
